## Core Components
### ClusterIssuer Configuration
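apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # ACME account contact (expiry notices go here). Placeholder value,
    # replace before applying.
    email: admin@example.com
    privateKeySecretRef:
      # ACME account private key; cert-manager creates this Secret in its own
      # namespace on first use.
      name: letsencrypt-prod-account-key
    solvers:
      # Solver selection: a solver without a selector matches every challenge,
      # and on a tie the first listed solver wins. Without the dnsZones
      # selector below, HTTP-01 would be chosen for every name and DNS-01
      # would never run -- which breaks wildcard names, since HTTP-01 cannot
      # validate them.
      - http01:
          ingress:
            class: nginx
      - dns01:
          cloudflare:
            # Only required with apiKeySecretRef; with an API token it is
            # not needed and can be dropped.
            email: admin@example.com
            apiTokenSecretRef:
              # Secret must live in the cert-manager namespace for a
              # ClusterIssuer. Scope the Cloudflare token to Zone:DNS:Edit
              # on this zone only.
              name: cloudflare-api-token
              key: api-token
        selector:
          # Routes example.com and all its subdomains (including
          # *.example.com) to DNS-01.
          dnsZones:
            - example.com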
## Certificate Management
### Wildcard Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  # The issued Secret is created in this namespace; Ingress objects in other
  # namespaces cannot reference it directly.
  namespace: cert-manager
spec:
  # Secret (type kubernetes.io/tls) that receives the key and chain.
  secretName: wildcard-tls
  # Wildcard names can only be validated with a DNS-01 solver; the issuer
  # below must route this zone to DNS-01.
  commonName: "*.example.com"
  dnsNames:
    - "*.example.com"
    - "example.com"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # Key usages requested in the CSR; the CA may still apply its own profile.
  usages:
    - digital signature
    - key encipherment
    - server auth
### Production Implementation
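# Complete cert-manager setup: an explicitly managed Certificate and the
# Ingress that serves its Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: production-certs
  namespace: production
spec:
  secretName: production-tls
  # Requested lifetime; the CA caps it at its own maximum (Let's Encrypt
  # issues 90-day certificates, so 2160h is the effective ceiling).
  duration: 2160h # 90 days
  # Renewal starts this long before notAfter, leaving time to retry on
  # failed challenges.
  renewBefore: 360h # 15 days
  subject:
    # Public CAs generally ignore subject fields other than the CN/SANs;
    # harmless to keep but do not rely on it appearing in the leaf.
    organizations:
      - Example Corp
  commonName: api.example.com
  dnsNames:
    - api.example.com
    - web.example.com
    - admin.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  keystores:
    jks:
      # Additionally emit a Java keystore into the same Secret.
      create: true
      passwordSecretRef:
        # Must exist in the "production" namespace before issuance.
        name: jks-password
        key: password
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secured-ingress
  namespace: production
  # No cert-manager.io/cluster-issuer annotation here: the Secret is owned by
  # the Certificate above. Adding the annotation would make ingress-shim
  # create a second Certificate for the same secretName, and the two would
  # repeatedly overwrite each other's output.
spec:
  tls:
    - hosts:
        - api.example.com
        - web.example.com
      secretName: production-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80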